Q&A

Q&A with Sami Laiho on Implementing Privileged Access Workstations

A Windows security expert explains why PAW should be the default setup for all organizations -- and why IT pros neglect it at their peril.

• By Gladys Rama
• 06/02/2022

As one of the world's leading experts in Windows and Windows security, Sami Laiho considers priviledged access workstations (PAWs) absolutely critical for network protection. "If you can RDP into a server or a jump server from any computer in your network, you are in trouble," he warns.

Laiho is one of many IT luminaries presenting at the upcoming TechMentor conference taking place Aug. 8-12 in Microsoft's Redmond, Wash., headquarters. His session, titled "Implementing Privileged Access Workstations," promises to explain why PAW should be the default setup for organizations both large and small -- and why IT pros neglect it at their peril.

We caught up with Laiho recently to explain the basics of PAW ahead of his TechMentor presentation.

Redmond: Can you describe what exactly is a Privileged Access Workstation? Why is it so important? (And, for that matter, why would organizations ever fail to implement it?)
Laiho: PAW is a computer that can manage the company domain and its services. It is a more secure endpoint that can access management interfaces but can't access the public Internet resources.

It has great powers but potential of causing a companywide outage.

How have the recent remote and hybrid work trends changed the way IT needs to manage corporate networks, especially when it comes to PAW?
From the PAWs, perspective nothing has changed really. Only change is that there needs to be a secure VPN connection or such to the corporate office. When talking about Azure AD, nothing has changed.

How is PAW implementation different for a small business versus an enterprise? Is there an ideal limit to how many workstations can have the ability to manage the environment?
Smaller companies many times just need to create a "PAW" concept by limiting access to management interfaces from IT-admins' computers but not necessarily dedicated PAWs. Bigger environments usually prefer dedicated VMs or physical devices for PAWs.

Even if you limit privileged access to just one workstation, you still need to take steps to make sure that one workstation is totally secure, right? How should IT go about this?
These PAW computers have more strict security settings, and they cannot browse the Internet, at least unrestricted. They don't have Office installed and are not used for reading e-mail. The admin users that would normally get full privileges on endpoints don't have admin privileges on these PAW machines.

What's the worst-case scenario if an IT team doesn't implement PAW properly? Do you have any first-hand disaster stories that you can share? (You don't have to name names!)
RDP is nowadays known as "ransomware deployment protocol." There are hundreds of cases where the company secretary computers have been used to access RDP on domain controllers. Some studies show that three-fourths of breaches started with RDP connections. That would not have been possible with the PAW concept in place.